CVE-2026-40912

Severity: High · Public PoC · Updated

Published: 30 April 2026
Modified: 30 June 2026
KEV Added: no
CVSS Score (v4): 7.8
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0077 (51.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40912 is a high-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Traefik (vendor: Traefik). Its CVSS v4 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40912 is a high-severity authentication bypass vulnerability (CVSS v3.1 score of 8.2; the v4 score listed above is 7.8) affecting Traefik, an HTTP reverse proxy and load balancer. The issue resides in the StripPrefixRegex middleware when combined with ForwardAuth, BasicAuth, or DigestAuth, and affects versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2. Specifically, the middleware matches its regex against the decoded URL path but uses the byte length of that match to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the stripped raw path becomes a dot-segment path (e.g., /./admin/secret) in the sense of RFC 3986, which evades the path-based protection checks.

An unauthenticated network attacker (AV:N/AC:L/PR:N) can exploit this by crafting a request with dots in the prefix portion of a protected URL path. The dot-segment path is forwarded in the X-Forwarded-Uri header to ForwardAuth, which fails to match it against protected patterns, allowing the request to proceed. The backend then normalizes the dot-segment to the actual protected path, resulting in unauthorized access to sensitive content (C:H/I:L/A:N). This works against any backend performing dot-segment normalization as defined in RFC 3986.

Traefik has addressed the vulnerability in patched releases: versions 2.11.43, 3.6.14, and 3.7.0-rc.2. Security practitioners should upgrade to these versions promptly, as detailed in the official GitHub release notes and security advisory (GHSA-6jwx-7vp4-9847). The issue is classified as CWE-706 (Use of Incorrectly-Resolved Name Into a Reference Chain).
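The mechanism described above is a mismatch between two representations of the same path: a match computed on the decoded path, then applied as a byte offset to the percent-encoded path. The following Go program is an added illustration of that weakness class beside a consistent alternative; it is not Traefik's code and does not reproduce its StripPrefixRegex implementation. The regex `^/api`, the constructed request path `/%61pi/admin/secret`, and the function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// StripResult carries the two representations of a request path a proxy keeps:
// the decoded form used for decisions and the percent-encoded form it forwards.
type StripResult struct {
	Path    string
	RawPath string
}

// ensureLeadingSlash re-roots a stripped path, as proxies commonly do after removing a prefix.
func ensureLeadingSlash(p string) string {
	if strings.HasPrefix(p, "/") {
		return p
	}
	return "/" + p
}

// matchPrefix anchors the regex at the start of the decoded path and returns the
// byte length of the match, or 0 when there is no match at offset 0.
func matchPrefix(decoded string, re *regexp.Regexp) int {
	loc := re.FindStringIndex(decoded)
	if loc == nil || loc[0] != 0 {
		return 0
	}
	return loc[1]
}

// stripInconsistent shows the weakness class (hypothetical code): the regex is matched on
// the decoded path, but the match length is used to slice the percent-encoded path. When the
// prefix contains a percent-escape the two strings differ in byte length, so the forwarded
// encoded path no longer describes the resource the proxy reasoned about.
func stripInconsistent(rawPath string, re *regexp.Regexp) (StripResult, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return StripResult{}, err
	}
	n := matchPrefix(decoded, re)
	if n == 0 {
		return StripResult{Path: decoded, RawPath: rawPath}, nil
	}
	return StripResult{
		Path:    ensureLeadingSlash(decoded[n:]),
		RawPath: ensureLeadingSlash(rawPath[n:]), // offset borrowed from the other representation
	}, nil
}

// firstSegment returns the first path segment after the leading slash.
func firstSegment(p string) string {
	seg := strings.TrimPrefix(p, "/")
	if i := strings.IndexByte(seg, '/'); i >= 0 {
		seg = seg[:i]
	}
	return seg
}

// stripConsistent matches on the decoded path as well, but derives the encoded path from
// the decoded result instead of slicing, and refuses to forward a path whose first segment
// is "." or "..", because a downstream server would resolve that to a different resource.
func stripConsistent(rawPath string, re *regexp.Regexp) (StripResult, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return StripResult{}, err
	}
	n := matchPrefix(decoded, re)
	if n == 0 {
		return StripResult{Path: decoded, RawPath: (&url.URL{Path: decoded}).EscapedPath()}, nil
	}
	newPath := ensureLeadingSlash(decoded[n:])
	if seg := firstSegment(newPath); seg == "." || seg == ".." {
		return StripResult{}, errors.New("stripped path begins with a dot-segment; refusing to forward")
	}
	return StripResult{Path: newPath, RawPath: (&url.URL{Path: newPath}).EscapedPath()}, nil
}

// consistent reports whether the encoded path still decodes to the decoded path.
func consistent(r StripResult) bool {
	d, err := url.PathUnescape(r.RawPath)
	return err == nil && d == r.Path
}

func main() {
	re := regexp.MustCompile(`^/api`)
	// Constructed input: one percent-escape in the prefix, so raw and decoded lengths differ.
	for _, f := range []struct {
		name string
		fn   func(string, *regexp.Regexp) (StripResult, error)
	}{{"inconsistent", stripInconsistent}, {"consistent", stripConsistent}} {
		r, err := f.fn("/%61pi/admin/secret", re)
		fmt.Printf("%-12s path=%q raw=%q agree=%v err=%v\n", f.name, r.Path, r.RawPath, consistent(r), err)
	}
}
```

Running it shows the inconsistent variant forwarding `/pi/admin/secret` while believing it routed `/admin/secret`; the consistent variant keeps both representations aligned and rejects a remainder that starts with a dot-segment rather than re-rooting it.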

Vulnerability details

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high-severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment path (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri; it does not match the protected path patterns and the request is therefore allowed through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content. An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

CWE(s): CWE-706 Use of Incorrectly-Resolved Name or Reference

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in the public-facing Traefik reverse proxy/load balancer, directly enabling remote exploitation of a public-facing application by unauthenticated attackers crafting malicious requests to access protected resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32695 · Same product: Traefik Traefik
CVE-2026-35051 · Same product: Traefik Traefik
CVE-2025-54386 · Same product: Traefik Traefik
CVE-2026-39858 · Same product: Traefik Traefik
CVE-2026-29054 · Same product: Traefik Traefik
CVE-2026-33433 · Same product: Traefik Traefik
CVE-2026-25949 · Same product: Traefik Traefik
CVE-2026-22045 · Same product: Traefik Traefik
CVE-2026-26999 · Same product: Traefik Traefik
CVE-2025-65474 · Shared CWE-706

Affected Assets

traefik / traefik: 3.7.0 · ≤ 2.11.43 · 3.0.0 to 3.6.14

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation · prevent
Requires timely identification, reporting, and remediation of software flaws such as the StripPrefixRegex authentication bypass in vulnerable Traefik versions, preventing exploitation through patching.

SI-10 Information Input Validation · prevent
Mandates validation of URL path inputs in the reverse proxy to detect and reject dot-segment evasions (e.g., /./admin/secret) before forwarding to authentication middlewares.

System boundary control (identifier not given on the page) · prevent, detect
Controls communications at system boundaries through properly configured proxies or WAFs that enforce consistent URL path normalization and matching to block crafted requests evading ForwardAuth.
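The input-validation and boundary controls above both come down to one rule: make the authorization decision on the same canonical path the backend will resolve, and treat any forwarded URI that still carries a dot-segment as a signal. The Go program below is an added example of that check, written here for illustration rather than taken from Traefik or its ForwardAuth middleware. It implements the remove_dot_segments algorithm of RFC 3986 section 5.2.4 itself (so behaviour on trailing "." and ".." is exact, which path.Clean does not guarantee), and assumes a constructed policy that protects everything under `/admin/`; the function names and sample URIs are assumptions. It goes slightly beyond the page's example by also handling ".." and percent-encoded dots.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// removeDotSegments applies the remove_dot_segments algorithm of RFC 3986 section 5.2.4
// to an absolute path. Written here for illustration; it is not a Traefik function.
func removeDotSegments(p string) string {
	segs := strings.Split(p, "/") // segs[0] is the empty segment before the leading slash
	out := make([]string, 0, len(segs))
	for i := 1; i < len(segs); i++ {
		last := i == len(segs)-1
		switch segs[i] {
		case ".":
			if last {
				out = append(out, "") // "/a/." resolves to "/a/"
			}
		case "..":
			if len(out) > 0 {
				out = out[:len(out)-1]
			}
			if last {
				out = append(out, "") // "/a/b/.." resolves to "/a/"
			}
		default:
			out = append(out, segs[i])
		}
	}
	return "/" + strings.Join(out, "/")
}

// canonicalPath decodes the forwarded URI and removes dot segments, yielding the path the
// origin server will actually resolve. Decoding happens first so that "%2E" is seen as ".".
func canonicalPath(forwardedURI string) (string, error) {
	u, err := url.ParseRequestURI(forwardedURI)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(u.Path, "/") {
		return "", fmt.Errorf("forwarded URI %q has no absolute path", forwardedURI)
	}
	return removeDotSegments(u.Path), nil
}

// protectedPrefixes is a constructed sample policy for the authorization decision.
var protectedPrefixes = []string{"/admin/"}

// literalProtected compares the forwarded URI exactly as received; this is the
// matching behaviour that a dot-segment path does not trigger.
func literalProtected(uri string) bool {
	for _, p := range protectedPrefixes {
		if strings.HasPrefix(uri, p) {
			return true
		}
	}
	return false
}

// normalizedProtected canonicalizes before matching, so the decision is made on the same
// path the backend will serve. An unparseable URI is treated as protected (fail closed).
func normalizedProtected(uri string) bool {
	c, err := canonicalPath(uri)
	if err != nil {
		return true
	}
	return literalProtected(c)
}

// containsDotSegment is a cheap detection signal: a forwarded URI that still carries a
// "." or ".." segment after prefix stripping deserves a log entry or an outright reject.
func containsDotSegment(uri string) bool {
	u, err := url.ParseRequestURI(uri)
	if err != nil {
		return false
	}
	for _, s := range strings.Split(u.Path, "/") {
		if s == "." || s == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed forwarded URIs, including the dot-segment form quoted in the advisory.
	for _, uri := range []string{"/admin/secret", "/./admin/secret", "/%2E/admin/secret", "/public/index.html"} {
		fmt.Printf("%-20s literal=%-5v normalized=%-5v dotseg=%v\n",
			uri, literalProtected(uri), normalizedProtected(uri), containsDotSegment(uri))
	}
}
```

The literal comparison lets `/./admin/secret` through while the normalized comparison does not, which is the gap between the ForwardAuth decision and the backend's behaviour the advisory describes. In a deployment the canonicalization belongs in whichever component makes the access decision, and `containsDotSegment` is the condition worth alerting on at the proxy or WAF.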
